def find_macho_valid(base_ea): ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFACF) if ea_list[0] == ida_idaapi.BADADDR: ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFEEDFACF) if ea_list[0] != ida_idaapi.BADADDR: func_ea = ida_funcs.get_func(ea_list[0]).start_ea print("\t[+] _macho_valid = 0x%x" % (func_ea)) idc.set_name(func_ea, "_macho_valid", idc.SN_CHECK) return func_ea return ida_idaapi.BADADDR
def find_target_early_init(base_ea): ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x4A41) if ea_list[0] != ida_idaapi.BADADDR: func_ea = ida_funcs.get_func(ea_list[0]).start_ea print("\t[+] _target_early_init = 0x%x" % (func_ea)) idc.set_name(func_ea, "_target_early_init", idc.SN_CHECK) tei_ea = func_ea str_ea = ida_search.find_text(tei_ea, 1, 1, "All pre", ida_search.SEARCH_DOWN) if str_ea != ida_idaapi.BADADDR: f_ea = idaapi.get_func(str_ea).start_ea if tei_ea != f_ea: print("\t[-] _platform_not_supported = not found") return tei_ea bl_ea = str_ea + 8 dst = idc.print_operand(bl_ea, 0) pns_ea = idc.get_name_ea_simple(dst) print("\t[+] _platform_not_supported = 0x%x" % (pns_ea)) idc.set_name(pns_ea, "_platform_not_supported", idc.SN_CHECK) return tei_ea print("\t[-] _target_early_init = not found") return ida_idaapi.BADADDR
def find_img4decodeinit(base_ea): cur_ea = base_ea while true: ea_list = ida_search.find_imm(cur_ea, ida_search.SEARCH_DOWN, 0x494D) if ea_list[0] == ida_idaapi.BADADDR: ea_list = ida_search.find_imm(cur_ea, ida_search.SEARCH_DOWN, 0x494D0000) if ea_list[0] != ida_idaapi.BADADDR: ea = ea_list[0] func = ida_funcs.get_func(ea) func_ea = 0 if not func: func_ea = ida_search.find_binary(ea, base_ea, "?? ?? BD A9", 16, ida_search.SEARCH_UP) if func_ea != ida_idaapi.BADADDR: ida_funcs.add_func(func_ea) else: print("\t[-] _Img4DecodeInit = not found") return ida_idaapi.BADADDR else: func_ea = func.start_ea ea_func_list = list(idautils.XrefsTo(func_ea)) if not ea_func_list: cur_ea = ea + 4 continue if ea_func_list[0].frm != ida_idaapi.BADADDR: try: i4d_ea = ida_funcs.get_func(ea_func_list[0].frm).start_ea print("\t[+] _Img4DecodeInit = 0x%x" % (i4d_ea)) idc.set_name(i4d_ea, "_Img4DecodeInit", idc.SN_CHECK) return i4d_ea except: break cur_ea = ea + 4 print("\t[-] _Img4DecodeInit = not found") return ida_idaapi.BADADDR
def find_image4_validate_property_callback_interposer(base_ea): ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x424E) if ea_list[0] == ida_idaapi.BADADDR: ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x424E0000) if ea_list[0] != ida_idaapi.BADADDR: func_ea = ida_funcs.get_func(ea_list[0]).start_ea print("\t[+] _image4_validate_property_callback_interposer = 0x%x" % (func_ea)) idc.set_name(func_ea, "_image4_validate_property_callback_interposer", idc.SN_CHECK) return func_ea print("\t[-] _image4_validate_property_callback_interposer = not found") return ida_idaapi.BADADDR
def find_immediate(expression): if isinstance(expression, str): expression = eval(expression) ea, imm = ida_search.find_imm(0, idc.SEARCH_DOWN, expression) while ea != idc.BADADDR: yield ea ea, imm = idc.find_imm(ea + 1, idc.SEARCH_DOWN, expression)
def find_image4_load(base_ea): ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x4D650000) if ea_list[0] != ida_idaapi.BADADDR: func_ea = ida_funcs.get_func(ea_list[0]).start_ea print "\t[+] _image4_load = 0x%x" % (func_ea) idc.set_name(func_ea, "_image4_load", idc.SN_CHECK) return func_ea return ida_idaapi.BADADDR
def find_macho_valid(base_ea): ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFACF) if ea_list[0] != 0xffffffffffffffff: func_ea = ida_funcs.get_func(ea_list[0]).start_ea print("\t[+] _macho_valid = 0x%x" % (func_ea)) idc.MakeName(func_ea, "_macho_valid") return func_ea return 0xffffffffffffffff
def find_wdf_callback_through_immediate(mnemonic, operand, val): for i in range(10): addr, operand_ = ida_search.find_imm(ida_ida.inf_get_min_ea(), idc.SEARCH_DOWN | idc.SEARCH_NEXT, val) if addr != idc.BADADDR: #print hex(addr), idc.GetDisasm(addr), "Operand ", operand_ if operand_ == operand and idc.print_insn_mnem(addr) == mnemonic: return addr else: break return None
def find_img4decodeinit(base_ea): ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x494D0000) if ea_list[0] != ida_idaapi.BADADDR: func_ea = ida_funcs.get_func(ea_list[0]).start_ea ea_func_list = list(idautils.XrefsTo(func_ea)) if ea_func_list[0].frm != ida_idaapi.BADADDR: i4d_ea = ida_funcs.get_func(ea_func_list[0].frm).start_ea print "\t[+] _Img4DecodeInit = 0x%x" % (i4d_ea) idc.set_name(i4d_ea, "_Img4DecodeInit", idc.SN_CHECK) return i4d_ea return ida_idaapi.BADADDR
def find_crypt_info(): info = {'addr': [], 'xor_key': ''} # Find the decryption routines addr = 0 while True: # Search for magic value in the decryption functions addr, _ = ida_search.find_imm(addr + 1, SEARCH_DOWN, 0x3C6EF35F) if addr == 0xffffffff: break info['addr'].append(ida_funcs.get_func(addr).startEA) inst_addr = addr # Find xor key info['xor_key'] = find_xor_key(inst_addr) return info
def find_crypt_info(): info = { 'addr': [], 'xor_key': '' } # Find the decryption routines addr = 0 while True: # Search for magic value in the decryption functions addr, _ = ida_search.find_imm(addr + 1, SEARCH_DOWN, 0x3C6EF35F) if addr == 0xffffffff: break info['addr'].append(ida_funcs.get_func(addr).startEA) inst_addr = addr # Find xor key info['xor_key'] = find_xor_key(inst_addr) return info
def find_stack_chk_fail(base_ea): ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x7CC8) if ea_list[0] != ida_idaapi.BADADDR: func_ea = ida_funcs.get_func(ea_list[0]).start_ea print("\t[+] _stack_chk_fail = 0x%x" % (func_ea)) idc.set_name(func_ea, "_stack_chk_fail", idc.SN_CHECK) return func_ea else: str_ea = ida_search.find_text(base_ea, 1, 1, "__stack_chk_fail", ida_search.SEARCH_DOWN) if str_ea != ida_idaapi.BADADDR: for xref in idautils.XrefsTo(str_ea): func = idaapi.get_func(xref.frm) print("\t[+] _stack_chk_fail = 0x%x" % (func.start_ea)) idc.set_name(func.start_ea, "_stack_chk_fail", idc.SN_CHECK) return func.start_ea return ida_idaapi.BADADDR
def findImmediate(self, range_start, range_end, value): """Return all of the places (in the range) in which the immediate value was found. Args: range_start (int): ea of the range's start range_end (int): ea of the range's end value (int): value of the searched immediate Return Value: collection of ea's in which the value was found """ search_pos = range_start while search_pos < range_end: match_ea, garbage = ida_search.find_imm(search_pos, idc.SEARCH_DOWN, value) search_pos = match_ea + 1 # Filter out mismatches if match_ea == idc.BADADDR: break # return the correct result to the caller yield match_ea